SubSeven (aka Sub7 or Backdoor_G)

SubSeven (aka Sub7 or Backdoor_G) currently affects Windows 95/98 PCs and can be a bit tricky to remove. This is because the server portion can be configured to rerun itself automatically from any of four places each time the system is rebooted. The trojan also consists of two files, each of which can be configured with any name.

As mentioned above, the server portion can have any name. It is found in the WINDOWS directory under one of the following names:

"server.exe" (328kb)
"rundll16.exe" (328kb)
"systray.dl" (328kb)
"Task_bar.exe" (328kb)

The second file is found in the WINDOWS\SYSTEM directory under one of the following names:

"FAVPNMCFEE.dll" (35kb)
"MVOKH_32.dll" (35kb)
"nodll.exe" (35kb)
"watching.dll" (35kb)

If you've encountered any names other than the above, send an email to sub7@commodon.com.

TCP ports 6711 and 6776 are used by default, but there is also a third TCP port, which is the port used to establish the connection between the "client" and the "server". This third TCP port can be configured to be anything, although it is commonly seen as TCP port 1243 or TCP port 1999.
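One way to put the port information above to use is to check the output of "netstat -an" on a suspect machine for TCP listeners on those ports. The script below is an added example and is not part of the original page or the SubSeven software; the netstat text it parses is a constructed sample in the layout of the Windows "netstat -an" command, not a real capture. A listener on 1243 or 1999 is only a hint, since the connection port is configurable.

```python
import re

# Ports named on the page: 6711 and 6776 are the defaults, 1243 and 1999 are the
# values commonly seen for the configurable connection port.
SUBSEVEN_DEFAULT_PORTS = {6711, 6776}
SUBSEVEN_COMMON_CONNECT_PORTS = {1243, 1999}

# Constructed sample in the layout of "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6711           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6776           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1243       10.0.0.9:1034          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One socket line: protocol, local address:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, foreign, state = m.groups()
        entries.append({"proto": proto, "local": addr, "port": int(port),
                        "foreign": foreign, "state": state or ""})
    return entries


def flag_subseven_ports(entries):
    """Return a sorted list of (port, reason) for TCP listeners on the indicator ports.

    Established connections are ignored on purpose: a client using 1243 as an
    ephemeral source port is not evidence of the trojan, a listener is.
    """
    flagged = set()
    for e in entries:
        if e["proto"] != "TCP" or e["state"] != "LISTENING":
            continue
        if e["port"] in SUBSEVEN_DEFAULT_PORTS:
            flagged.add((e["port"], "default SubSeven port"))
        elif e["port"] in SUBSEVEN_COMMON_CONNECT_PORTS:
            flagged.add((e["port"], "commonly used connection port"))
    return sorted(flagged)


if __name__ == "__main__":
    for port, reason in flag_subseven_ports(parse_netstat(SAMPLE_NETSTAT)):
        print(f"TCP {port} LISTENING: {reason}")
```

On a real machine you would replace SAMPLE_NETSTAT with the captured output of "netstat -an" and treat any hit as a reason to run the file and startup-location checks further down the page, not as proof by itself.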

As mentioned above, the server portion of the trojan can be configured by the hacker to rerun itself every time the system is rebooted, by way of an entry in one of four locations. The four locations are:

The first, is an entry on the "shell=" line in the SYSTEM.INI file.

The second, is an entry on the "load=" or "run=" line in the WIN.INI file.

The third, is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

The fourth, is under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

NOTE: Of the systems compromised with SubSeven, the first location (the "shell=" line) is the one most often used.

Who is Responsible?

SubSeven was written by an individual known as MobMan.

Here's a picture of what the "client" portion of the software looks like.

Provided below is a screenshot of the information obtained by the client portion after it attached to a PC that was compromised with the server portion. It shows details about the compromised system.

Provided below is a screenshot of the "EditServer" utility. This is the utility that allows the hacker to customize the "server" portion of the trojan. After the server part of the trojan has been configured, it is sent to the victim.

How to Remove SubSeven

Because the server portion of the SubSeven trojan can be configured to be loaded automatically from one of four locations, you'll need to look at all of the locations first. Keep in mind that several steps involve examining and possibly editing the registry. Although the steps are relatively easy, I cannot be held responsible if a mistake is made. Please use caution.

The first and second locations - The WIN.INI and SYSTEM.INI files

Step 1. Click START | RUN, type SYSEDIT and press ENTER.

Step 2. Click on the SYSTEM.INI file and look at the "shell=Explorer.exe" line under the [boot] section. There shouldn't be anything to the right of it. However, if yours looks like "shell=Explorer.exe Task_Bar.exe", then Task_Bar.exe is the server portion of the trojan.

Delete Task_Bar.exe from the line and save the change. Skip to the END.

Step 3. Click on the WIN.INI file and look at the run= and load= lines under the [windows] section. Because it is common to have legitimate programs on either of these lines, you should look at the name of each file that appears on the line and compare it to the names listed above.

If you find one, delete it from the line and save the change. Skip to the END.

The third and fourth locations - The Registry

Step 1. Click START | RUN, type REGEDIT and press ENTER.

Step 2. In the left window, click the "+" (plus sign) to the left of each of the following in turn: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Step 3. In the right window, look for a value that loads one of the files listed above. If you don't find one of the listed files, it might mean that the server portion was renamed to something else. Note the names of any suspicious files.

What you will need to do is open Windows Explorer and go to the WINDOWS directory. Locate each of the suspicious files that were referenced in the right window of regedit. When you find a file that is 328Kb in size, you've probably found the renamed server portion of SubSeven.

Step 4. Return to the registry and, in the right window, highlight the value that loads the file and hit the DELETE key. Answer YES to delete the entry.

Step 5. Exit the Registry and reboot your computer.

Step 6. After the computer has restarted, open Windows Explorer.

Step 7. Go to the WINDOWS directory and look for the suspicious file. Once you've found the file, DELETE it.

Step 8. Exit Windows Explorer.

Congratulations! SubSeven has been removed.
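The four startup locations and the removal steps above can be checked in one pass by a script that reads the two INI files and the two Run keys and reports anything that matches the file names listed earlier on this page. The script below is an added example written for this page; it is not part of the original page or of any SubSeven tooling. The SYSTEM.INI, WIN.INI and registry contents it examines are constructed samples built to show the patterns described in Steps 2 and 3, and the registry values are represented as plain dictionaries in place of a live winreg enumeration so the script runs anywhere. The size-based candidate check uses an assumed tolerance of one kilobyte around the 328Kb figure given on the page.

```python
import re

# File names listed on the page for the server portion (WINDOWS directory) and
# the companion file (WINDOWS\SYSTEM directory); compared case-insensitively.
SERVER_NAMES = {"server.exe", "rundll16.exe", "systray.dl", "task_bar.exe"}
COMPANION_NAMES = {"favpnmcfee.dll", "mvokh_32.dll", "nodll.exe", "watching.dll"}
KNOWN_NAMES = SERVER_NAMES | COMPANION_NAMES

# Constructed sample SYSTEM.INI: the pattern from Step 2 of the INI procedure.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe Task_Bar.exe
system.drv=system.drv
[386Enh]
device=*vmm
"""

# Constructed sample WIN.INI: a legitimate load= entry beside a trojan run= entry.
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\wkcalrem.exe
run=rundll16.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed sample of the two Run keys as {value name: command}, standing in
# for what regedit shows in the right window. "kernel16.exe" is a made-up
# renamed candidate that only the size check can catch.
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
        "SystemTrayIcon": "C:\\WINDOWS\\SYSTEM\\nodll.exe",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "WinSock": "C:\\WINDOWS\\kernel16.exe",
    },
}


def ini_value(text, section, key):
    """Return the value of key= inside [section] of an INI text, or '' if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return ""


def basename(path):
    """Lower-cased file name of a Windows path (paths with spaces are not handled)."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def check_system_ini(text):
    """Location 1: anything after Explorer.exe on the [boot] shell= line is suspect."""
    tokens = ini_value(text, "boot", "shell").split()
    return tokens[1:]


def check_win_ini(text):
    """Location 2: (line, file name, known SubSeven name?) for run= and load= entries."""
    findings = []
    for key in ("run", "load"):
        value = ini_value(text, "windows", key)
        for item in re.split(r"[,\s]+", value):
            if item:
                name = basename(item)
                findings.append((key, name, name in KNOWN_NAMES))
    return findings


def check_run_keys(run_keys):
    """Locations 3 and 4: (key path, value name, file name) for values that load
    a known SubSeven file name; unknown names are left to the size check."""
    hits = []
    for path, values in run_keys.items():
        for name, command in values.items():
            exe = basename(command.split()[0])
            if exe in KNOWN_NAMES:
                hits.append((path, name, exe))
    return hits


def looks_like_server_size(size_bytes, expected_kb=328, tolerance_kb=1):
    """Step 3 size check for a renamed server; the tolerance is an assumption."""
    return abs(size_bytes / 1024 - expected_kb) <= tolerance_kb


if __name__ == "__main__":
    print("SYSTEM.INI shell= extras:", check_system_ini(SAMPLE_SYSTEM_INI))
    print("WIN.INI run=/load= entries:", check_win_ini(SAMPLE_WIN_INI))
    print("Run/RunServices hits:", check_run_keys(SAMPLE_RUN_KEYS))
```

On a real Windows 9x machine you would read C:\WINDOWS\SYSTEM.INI and C:\WINDOWS\WIN.INI into the two text arguments, fill the run-key dictionary from regedit (or the winreg module), and apply looks_like_server_size to the size of any unknown file the Run keys reference, which mirrors the manual procedure above without changing anything on the machine.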

While Commodon Communications does not participate in or condone hacking activities, we recognize the need to educate persons who express an interest, so that they can better identify the activities associated with it and better protect themselves and/or their organization. If you're interested in purchasing software for the purpose of learning the subject of hacking and Internet security, visit our online store.